Local Reasoning for the POSIX File System

Gardner, Philippa; Ntzik, Gian; Wright, Adam

doi:10.1007/978-3-642-54833-8_10

Cited by 23 publications

(16 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Another direction for future work involves extending existing specifications for file systems [5,9] with our framework. This will allow both the verification of interesting clients programs, such as fault-tolerant software installers or persisted message queues, and the verification of fault-tolerant databases and file systems.…”

Section: Discussionmentioning

confidence: 99%

“…However, these techniques have been based on building models that are specific to the particular application and recovery strategy, and are difficult to reuse. Program logics based on separation logic have been successful in reasoning about file systems [5,9] and concurrent indexes [16] on which database and file systems depend. However, as is typical with Hoare logics, their specifications avoid host failures, assuming that if a precondition holds then associated operations will not fail.…”

Section: Related Workmentioning

confidence: 99%

See 1 more Smart Citation

Fault-Tolerant Resource Reasoning

Ntzik

Pinto

Gardner

2015

Programming Languages and Systems

Self Cite

View full text Add to dashboard Cite

Abstract. Separation logic has been successful at verifying that programs do not crash due to illegal use of resources. The underlying assumption, however, is that machines do not fail. In practice, machines can fail unpredictably for various reasons, e.g. power loss, corrupting resources. Critical software, e.g. file systems, employ recovery methods to mitigate these effects. We introduce an extension of the Views framework to reason about such methods. We use concurrent separation logic as an instance of the framework to illustrate our reasoning, and explore programs using write-ahead logging, e.g. an ARIES recovery algorithm.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Fault-Tolerant Resource Reasoning

Ntzik

Pinto

Gardner

2015

Programming Languages and Systems

Self Cite

View full text Add to dashboard Cite

show abstract

“…Finally, Gardner et al [19] describe a logic for reasoning about tree structures, such as the POSIX file system and Ridge et al [30] provide a specification of the POSIX filesystem. These works are orthogonal to ours; while they do not directly pertain to proving crash recovery, they provide a rigorous separation between applications and OS implementations.…”

Section: Recoverability and Storage Systemsmentioning

confidence: 99%

“…These kinds of bugs can be particularly frustrating because, even when it has been formally proved for a program P that P ⊧ ϕ, the proof is foiled by these external events that crash and restart the program. Some recent efforts [7,8,19,26] notwithstanding, this space remains largely unexplored: little backbone has been developed for understanding what it means for a program to correctly recover from a crash from a verification perspective.…”

Section: Introductionmentioning

confidence: 99%

Reducing crash recoverability to reachability

Koskinen

Yang

2016

SIGPLAN Not.

View full text Add to dashboard Cite

Software applications run on a variety of platforms (filesystems, virtual slices, mobile hardware, etc.) that do not provide 100% uptime. As such, these applications may crash at any unfortunate moment losing volatile data and, when re-launched, they must be able to correctly recover from potentially inconsistent states left on persistent storage. From a verification perspective, crash recovery bugs can be particularly frustrating because, even when it has been formally proved for a program that it satisfies a property, the proof is foiled by these external events that crash and restart the program.In this paper we first provide a hierarchical formal model of what it means for a program to be crash recoverable. Our model captures the recoverability of many real world programs, including those in our evaluation which use sophisticated recovery algorithms such as shadow paging and write-ahead logging. Next, we introduce a novel technique capable of automatically proving that a program correctly recovers from a crash via a reduction to reachability. Our technique takes an input control-flow automaton and transforms it into an encoding that blends the capture of snapshots of pre-crash states into a symbolic search for a proof that recovery terminates and every recovered execution simulates some crashfree execution. Our encoding is designed to enable one to apply existing abstraction techniques in order to do the work that is necessary to prove recoverability.We have implemented our technique in a tool called ELEVEN82, capable of analyzing C programs to detect recoverability bugs or prove their absence. We have applied our tool to benchmark examples drawn from industrial file systems and databases, including GDBM, LevelDB, LMDB, PostgreSQL, SQLite, VMware and ZooKeeper. Within minutes, our tool is able to discover bugs or prove that these fragments are crash recoverable.

show abstract

“…Gardner et al [18] have proposed a formal model of Posix file system based on separation logic. The semantics of Posix operations are captured with preconditions and postconditions in a Hoare-logic style.…”

mentioning

confidence: 99%

Co-Design and Verification of an Available File System

Shapiro

Eugster

2017

Lecture Notes in Computer Science

View full text Add to dashboard Cite

Abstract. Distributed file systems play a vital role in large-scale enterprise services. However, the designer of a distributed file system faces a vexing choice between strong consistency and asynchronous replication. The former supports a standard sequential model by synchronising operations, but is slow and fragile. The latter is highly available and responsive, but exposes users to concurrency anomalies. In this paper, we describe a rigorous and general approach to navigating this trade-off by leveraging static verification tools that allow to verify different file system designs. We show that common file system operations can run concurrently without synchronisation, while still retaining a semantics reasonably similar to Posix hierarchical structure. The one exception is the move operation, for which we prove that, unless synchronised, it will have an anomalous behaviour.

show abstract

Local Reasoning for the POSIX File System

Abstract: Abstract. We provide a program logic for specifying a core subset of the sequential POSIX file system, and for reasoning abstractly about client programs working with the file system.

Cited by 23 publications

References 21 publications

Fault-Tolerant Resource Reasoning

Fault-Tolerant Resource Reasoning

Reducing crash recoverability to reachability

Co-Design and Verification of an Available File System

Contact Info

Product

Resources

About